A Legal Guide to PRIVACY AND DATA SECURITY 2024

GLBA Privacy Requirements. Under the GLBA, financial institutions are restricted as to when they may disclose consumers' nonpublic personal information to nonaffiliated third parties. Financial institutions must provide "Privacy Notices" to their customers describing their information-sharing practices. Subject to certain exceptions, consumers may opt out if they do not want their information shared with nonaffiliated third parties. The content of these notices may vary based on the institution's relationship with the consumer and its data-sharing practices. The Privacy Rule includes a model "safe harbor" notice form that any covered company may use to describe its privacy practices and provide the required opt-out for sharing of certain information.

GLBA Safeguards Requirements. The GLBA requires financial institutions, and other businesses that handle consumer financial information, to maintain a written information security plan describing their program to protect customer information. The plan must be appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the customer information it handles. The federal banking regulatory agencies issued the Interagency Guidelines Establishing Information Security Standards (originally titled the Interagency Guidelines Establishing Standards for Safeguarding Customer Information) to further define these requirements. Under the Interagency Guidelines, the business must:

1) designate one or more employees to coordinate the information security program;
2) identify and assess the risks to customer information in each relevant area of operation, and assess the effectiveness of the current safeguards for controlling those risks;
3) design and implement safeguards for customer information, and regularly monitor and test the safeguards program;
4) exercise due diligence in selecting service providers (third-party vendors) and require them by contract to implement appropriate safeguards; and
5) evaluate and adjust the program in light of test results, changes in the business, and other relevant circumstances.

Examples of safeguards that can help protect against unauthorized access to, or use of, individuals' nonpublic personal information include: 1) data encryption; 2) authentication mechanisms; 3) employee background checks; and 4) regular monitoring and testing of information security controls and systems.
